Swine Flu? Probably not. Where your old I.T. equipment winds up? What are the environmental and human impacts of your old assets? Who will notice if you slip up and your CRTs get shipped abroad? What kind of media attention do you want? And if you experience
The US Environmental Protection Agency (EPA) began regulating e-waste as early as 1980 with the CERCLA Act, also known as “The SuperFund Law,” which held companies accountable for any toxic waste found in landfills. Now the EPA has adopted the position of “you make it, you take it” with electronics OEMs, making them responsible for what happens to the products they sell once they become obsolete. As a result, OEMs are now building this cost into their product pricing models for new products
The Gramm-Leach-Bliley Act , for example, requires the FTC, along with several other regulatory agencies, to ensure that financial institutions protect the privacy of consumers’ personal financial information. But the FTC’s definition of financial institution includes any entity that may handle personal financial data, and includes credit reporting agencies, banks, credit card companies, auto dealerships and a range of retail establishments that accept consumer credit cards.   Gramm-Leach-Bliley Act, (Title V, subtitle A, see 16 CFR Part 313)
The Sarbanes-Oxley Act of 2002 requires public companies and their accounting firms to ensure the security of company information and the assets that store that information. The internal controls stipulated in the Act require managers of I.T. assets to perform risk assessment and to take precautions to prevent or detect fraud.  These precautions include taking steps to ensure the security of information storage assets like computers, hard drives and backup tapes  The Sarbanes-Oxley Act of 2002, Section 404: Assessment of internal control
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes a Privacy Rule that requires any entity handling “protected health information” to take precautions to protect that data. The rule applies to health plans, health care clearinghouses, and to any health care provider or service firm which stores or transmits health information in electronic form, which includes insurance companies and entities that perform claims processing, data analysis, utilization review, and billing. legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.   Health and Human Services Web site: www.hhs.gov/ocr/hipaa
The Federal Information Security Management Act of 2002 (FISMA) was meant to bolster computer and network security within the Federal Government and affiliated parties (such as government contractors) by mandating yearly audits. FISMA imposes a mandatory set of processes that must be followed for all information systems used or operated by a US Government agency or by a contractor of a US Government agency; the mandated processes follow standards set by HIPAA and other federal regulations that require risk assessment, internal controls and asset tracking.
One part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) is the Disposal Rule, which calls for the proper disposal of information found in consumer reports and records to protect against “unauthorized access to or use of the information.” Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. Think this doesn’t apply to you? The Fair Credit Reporting Act defines the term consumer report to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history. Even if your company doesn’t service consumers, you all have employees, and all HR records are subject to this rule.
Now many of these regulations around information privacy and data security have the greatest affect on public companies, financial institutions, health care organizations or even retail chains with customer information stored on the computers that they may be returning at the end of a lease, or remarketing during a technology refresh, or when they are shipped to a recycler or even given to a charity. But as I mentioned, the Safeguards Rule of the Gramm-Leach-Bliley Act requires financial institutions to develop an information security plan that describes how the company protects clients’ nonpublic personal information . This means that at end-of-lease, for example, if you arrange pickup and transportation of those assets back to your environmental partner’s facility, it becomes your responsibility to safeguard those assets. This is where compliance leads directly to risk management all the way through the logistics process at end-of-lease or end-of-life.
PGP Corporation, a global leader in enterprise data protection, and the Ponemon Institute, a privacy and information management research firm, today announced results of the fourth annual U.S. Cost of a Data Breach Study . According to the study which examined 43 organizations across 17 different industry sectors... Data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007. Since the study’s inception in 2005, this cost component has grown by more than $64 on a per victim basis, nearly a 40% increase. Per incident costs in 2008 were $6.65M Third-party organizations accounted for more than 44 percent of all cases in the 2008 study and are also the most costly form of data breaches due to additional investigation and consulting fees. (LP’s would be considered a 3 rd part organization) More than 88% of all cases in this year’s study involved insider negligence.
There are several points in the I.T. asset collection process that present opportunities for theft or loss, or “risk opportunities” The first risk opportunity occurs during the packing process onsite – can you trust the crew and the quality of their packing? How are they recording what they’re packing? The next point of risk occurs when the truck pulls away with the pickup – how do you prove what they took, who they are, and where they’re going? The first cross-dock represents another risk opportunity – can you be sure your assets are not sitting outside or left unsecured? The next cross-dock or hub represents a similar risk. Can you be sure your assets are not mixed or switched with someone else’s? The point of delivery, or final destination is the last risk opportunity – can you be sure that what is off-loaded is complete, and what is audited is accurate?
As with most things, as soon as you try to reduce risk, you increase cost. And when you cut corners to reduce cost, you increase risk. On one end of these extremes is the cheap and easy way of having Joe’s Moving service come and pack up your client’s computers that have their customer data, patient data or financial data on the hard drives. They throw them on a pallet, shrink-wrap and take off. They don’t record any information about what they just took. They give those 3 pallets to Lowball Freight Company who runs it through 4 warehouses on the way to your environmental partner. At any point, any dock worker could take or swap any asset and it could be on eBay within 24 hours. How would you know? On the other end is to have the client pack up their own assets and have Brinks come and pick it up and their two armed guards drive it directly to your environmental partner. It’s extremely expensive, but very little risk. So let’s talk about the best practices—a way to try to get the best of both worlds without either exposing your organization to a lot of risk or costing your organization a fortune.
First, Onsite Packing – Use a provider who can certify that their crew is trained on packing I.T. assets. Make sure they record what they are packing as it’s packed, preferably in digital format to avoid the mistakes of hand-written notes. Ideally, start with a list of the client’s asset tag numbers of the assets to be taken so the client can verify their list to that of the Logistics Provider’s onsite crew.
Second, for the Pickup – 1. Make sure the same company that packs also picks up—with one touch to the customer. This gets closer to “one throat to choke” if things go wrong. The more parties involved in the process, the less secure it is. 2. Require a signed proof of pickup that documents how many of each asset type was picked up. 3. Make sure you have the driver’s name and signature on his company’s manifest so you know how to follow up if you need to. 4. Before you sign a release of the assets make sure at least the overall count by asset type matches your expectations.
Next, in transit – Make sure you can track your assets online while they are in transit. Ask which cross-docks or facilities your assets will be passing through. Ask about the security in place at each facility—there should be security cameras, screened personnel only, locked doors at all times and freight should never sit outside unless in a locked truck. Request that your pallets of assets be machine wrapped at the earliest opportunity to minimize load-shifting and damage.
Last, the final destination – can you be sure that what is off-loaded is complete, and what is audited is accurate? Make sure your environmental partner documents or photographs the condition of assets on the truck before they unload. Get a Proof of Delivery from the Logistics Provider. Make sure the Proof of Delivery matches the Proof of Pickup, and match the asset list from the pick up with audit report from the EP.
Get a Certificate of Collection to document every asset, every pallet, and every arrival and departure along the way. The basic premise for best practices on the logistics side is to maximize visibility and accountability throughout the I.T. asset collection process.
In order to cover your bases as far as accountability, start with the list of assets from your asset management system and match that to the proof of pickup; match that with the BOL from the LP. Find out about the security of the cross-docks your assets will pass through. Make sure your EP is properly certified. Make sure you can show a complete chain of custody in case there is a problem. And finally, match the certificate of collection with the certificate of destruction (or the audit from the leasing company or remarketer).
Encrypting your data does reduce your liability in the case of data theft, but data erasure is even better, even if it’s a quick erase, knowing that you’ll get DOD standard erasure at the EP’s facility.
There are a range of security options, all with varying costs and risks. Depending on the quantity of assets or hard drives, some options might be more feasible at a low cost per drive. Dedicated trucks are almost always among the more expense transport options, although among the safest. For higher quantities of drives, and if you have plenty of staff (with nothing else to do) who can remove them, onsite destruction might be an affordable option, but we’ve found you need at least a couple hundred to make this feasible. For low numbers of drives, you can remove the drives and ship them either unlocked by a secure transport like Fedex Critical or DunBar, or put them in a lockbox and ship them UPS Ground. It just depends on your budget and level of risk tolerance.
Believe it or not, there is no standard for logistics companies to comply with in terms of security or accountability. So OnePak devised it’s own standards for logistics partners to live up to.
2009 IAITAM Conference - Stockman
Best Practices: I.T. Asset Collection Presented by Shawn Stockman
About ONE PAK <ul><li>ONEPAK, Inc. is a reverse logistics technology company, uniquely specializing in the new regulatory-driven niche of I.T. asset collection and logistics. </li></ul><ul><li>The Company manages nationwide packing, tracking, and transportation of used computers and other electronics at end-of-life or end-of-lease. </li></ul>
Federal Regulations Require Secure Handling of Information Assets AKA “The Superfund Law” Any company who’s PC is found in a landfill will pay. CERCLA Act (1980)
Federal Regulations Require Secure Handling of Information Assets Requires “financial institutions” to protect their customers' data. Title V of the Gramm-Leach-Bliley Act (1999)
Federal Regulations Require Secure Handling of Information Assets Requires public companies to ensure the security of assets and the information stored on them. Sarbanes-Oxley Act (2002)
Requires health care providers to safeguard personal information. Federal Regulations Require Secure Handling of Information Assets HIPPA
Affects government agencies and contractors with HIPPA-like standards around internal controls and asset tracking. Federal Regulations Require Secure Handling of Information Assets Federal Information Security Management Act of 2002 (FISMA)
Disposal, Safeguards, and Privacy rules require the proper disposal of consumers’ personal information. Federal Regulations Require Secure Handling of Information Assets FTC – FACTA (Disposal Rule, 2005)
What are the risks & costs of data breach? <ul><li>U.S. Cost of Data Breach Study: </li></ul><ul><li>$202/compromised customer record--up 40% since 2005. </li></ul><ul><li>Average per-incident costs in 2008 were $6.65 million, up 5% compared to 2007. </li></ul><ul><li>Third-party organizations accounted for > 44 % of cases and are also the most costly. </li></ul><ul><li>More than 88% of all cases in this year’s study involved insider negligence. </li></ul>
Best Practices: I.T. Asset Collection 1. Make sure the crew is qualified. 2. Make sure they record every asset—digitally if possible. 3. Compare the client’s asset list to the Logistics Provider’s. Onsite packing Pickup Cross-docks & Hubs Delivery / Audit
Best Practices: I.T. Asset Collection 1. Make sure the same company that packs also picks up—with one touch to the customer. 2. Get Proof of Pickup. 3. Get the driver’s name and signature. 4. Know what you are signing before authorizing a release of the assets. Pickup Cross-docks & Hubs Delivery / Audit
Best Practices: I.T. Asset Collection 1. Track your assets online. 2. Ask which cross-dock facilities. 3. Ask about security at each facility. 4. Request machine-wrapping of your pallets. Delivery / Audit Cross-docks & Hubs
Best Practices: I.T. Asset Collection 1. Make sure EP documents the condition of assets before unloading. 2. Get a Proof of Delivery from the Logistics Provider. 3. Match the Proof of Delivery with the Proof of Pickup and the audit report. Delivery / Audit
<ul><li>Get a Certificate of Collection </li></ul>Best Practices: I.T. Asset Collection
Document the Recovery Process Recycler/ Remarketer In Transit Certificate of Destruction Cross-docks & Hubs Certificate of Collection
Protect data before you ship <ul><li>Encryption before transport – lowers liability </li></ul><ul><li>Erasure before transport & DOD standard erasure afterward </li></ul>
Packaging & Transport Options <ul><li>Dedicated secure trucks to certified shredder/recycler </li></ul><ul><li>Remove and shred hard drives onsite </li></ul><ul><li>Remove hard drives, ship unlocked by secure transport </li></ul><ul><li>Remove hard drives, ship in lockbox by common carrier </li></ul>
Resources <ul><li>National Association for Information Destruction ( www.NAIDonline.org ) </li></ul>The NAID Certification Program establishes standards for a secure destruction process including such areas as operational security, employee hiring and screening, the destruction process, responsible disposal and insurance.
Resources <ul><li>OnePak’s Certified I.T. Asset Collection Services </li></ul><ul><li>Certification Program guarantees only Certified I.T. Asset Handlers perform onsite packing according to strict SOP. </li></ul><ul><li>Provides Proof of Pickup, Proof of Delivery and Certificate of Collection. </li></ul><ul><li>All activities from uploaded asset list out of your asset management software, through delivery are viewable online. </li></ul>
Questions? <ul><li>Shawn Stockman </li></ul><ul><li>OnePak, Inc. </li></ul><ul><li>www.onepak.com </li></ul><ul><li>[email_address] </li></ul><ul><li>207.266.4362 </li></ul>